OASIS Mailing List Archives


Subject: Re: [was] The ID generation issue


Jeff Williams wrote:
> I agree with the idea to delete the date from the ID.  I also like the 
> idea behind the URI approach to ID's.  But I think that the ID should be 
> separate from the location of the repository where the evdl entries are 
> stored.
>    http://repository.com/evdl/thinkingstone/protect/123456

   You want to separate the functions of publishers and repositories?
   That's a good point. I agree.


> Your point about different parts of the EVDL having different IDs is 
> interesting.

   Well, I'd really like to see the parts be independent from each
   other. Otherwise I don't see who will adopt them as standard.
   Vulnerability scanner people are not interested in metadata or
   protect. Web application firewall people are not interested in
   anything but Protect. And so on...

   Take me, for example. I am prepared to convert my ModSecurity Rule
   Database to store EVDL Protect rules. I can probably afford to
   create Protect entries but I don't have resources to deal with
   the other parts. For me, the ideal thing would be to reference
   the existing SecurityFocus or Secunia (or some other) vulnerability
   entries.

   I would be happy to reference a main EVDL entry somewhere... but
   it doesn't exist.


> Personally, I would like to make sure that all the EVDL 
> parts related to a single vulnerability can be correlated somehow.

   Agreed, but what is a single vulnerability? It would be great if
   we could fund an EVDL vulnerability database effort but I don't
   think that's likely to happen. Otherwise if you don't have
   a single metadata entry then how are you going to find part
   instances that relate to the same problem?

   The best approach I can think of is to specify a search mechanism
   and to use various search criteria: vendor, product name, product URL,
   product version come to mind. External references could be useful
   too. E.g. "show me all entries related to PHPBB, version 4.0.10".

   It would be the job of the repository to index the entries and
   to produce search results.

   After considerable consideration I believe the following is the
   only feasible solution:

   tstone-01234

   for the main entry and:

   tstone-01234-protect

   for other EVDL parts.

-- 
Ivan Ristic (http://www.modsecurity.org)
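
The ID scheme and repository search described in the message above, as an added example that is not part of the original post or of any EVDL specification. The ID grammar is inferred from the two IDs shown; the entry fields, the "other" publisher and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed grammar, inferred from the two IDs in the message:
#   <publisher>-<number>          main entry
#   <publisher>-<number>-<part>   another EVDL part, e.g. "protect"
ID_RE = re.compile(
    r"^(?P<publisher>[a-z][a-z0-9]*)-(?P<number>\d+)(?:-(?P<part>[a-z]+))?$")

def parse_id(entry_id):
    """Split an ID into (main_id, part); part is None for the main entry."""
    m = ID_RE.match(entry_id)
    if m is None:
        raise ValueError(f"not a valid entry ID: {entry_id!r}")
    return f"{m['publisher']}-{m['number']}", m["part"]

class Repository:
    """Indexes entries so parts can be correlated by ID or found by product."""
    def __init__(self):
        self.by_main = defaultdict(dict)    # main_id -> {part or "main": entry}
        self.by_product = defaultdict(set)  # (product, version) -> entry IDs

    def add(self, entry):
        main_id, part = parse_id(entry["id"])
        self.by_main[main_id][part or "main"] = entry
        key = (entry["product"].lower(), entry["version"])
        self.by_product[key].add(entry["id"])

    def parts_of(self, entry_id):
        """Names of all parts stored under the same main ID."""
        main_id, _ = parse_id(entry_id)
        return sorted(self.by_main.get(main_id, {}))

    def search(self, product, version):
        """Entries from any publisher that match product and version."""
        return sorted(self.by_product.get((product.lower(), version), ()))

# Constructed sample entries (hypothetical field names and publishers).
SAMPLE = [
    {"id": "tstone-01234", "product": "PHPBB", "version": "4.0.10"},
    {"id": "tstone-01234-protect", "product": "PHPBB", "version": "4.0.10"},
    # A Protect part from another publisher that has no main entry.
    {"id": "other-00077-protect", "product": "phpbb", "version": "4.0.10"},
]

def build_sample():
    repo = Repository()
    for entry in SAMPLE:
        repo.add(entry)
    return repo
```

The third sample entry cannot be correlated with the tstone entries by ID alone; only the product and version search returns all three together.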

